Cloud incidents like ransomware attacks, distributed denial-of-service (DDoS) attacks and account compromise can bring operations to a halt and create a situation in which costs, reputation and customer trust are at stake.
What happens when your cloud environment falls under attack? How do you mitigate organizational impact step by step?
Unit 42 helps cybersecurity pros understand how cloud investigations differ from traditional incidents, and what matters most when time is critical.
Scope and Mindset for Cloud Investigations
According to the Unit 42 2025 Global Incident Response Report, 29% of incident investigations conducted in 2024 involved cloud or SaaS environments. One in five incidents involved threat actors adversely impacting cloud environments and assets. With entire business models relying on cloud-native architecture, it is vital to protect cloud surfaces.
Traditional incident investigations focus heavily on endpoints and network activity, so cloud investigations require a mindset shift. When cloud environments are breached, investigations primarily focus on identities, misconfigurations and service interactions.
Unit 42 Cloud Incident Response begins each investigation by asking several questions:
- What is the overall impact?
- What logs do we have or lack?
- Are identity/service misuse, automated actions or API exploitation contributing factors?
We’ll now go through the process, step by step.
Step 1: Triage and Scoping
Cloud investigations begin with triage and scoping. Investigators will do two things:
- Establish a timeline.
  When did the abnormal activity begin? How was it detected? Is it ongoing?
- Determine what cloud assets are involved.
  Does the incident involve virtual machines? What about identity and access management (IAM), cloud storage, containers, etc.?
Log gaps can be a major challenge due to misconfigurations or retention issues. Incident responders often uncover these problems only during an engagement, when it is too late to fix them and the missing data obscures threat actor activity.
Tip: Before any incidents occur, ensure you’ll have the data to investigate breaches properly:
- Enable logging within the CSP and retain the data for a minimum of 90 days.
- Enable additional logs specifically for tracking activity against your most sensitive resources.
- Ensure these logs are properly stored and encrypted to prevent any data loss if they are accessed by unauthorized parties.
- Centralize logs and apply machine learning and AI to correlate alerts.
Step 2: Evidence Collection
Once the incident has been triaged, evidence collection begins for investigators:
- Collect audit logs, resource-specific logs and snapshots.
  - These can provide details on what resources the attacker could access.
- Work with teams to capture volatile artifacts before they disappear.
  - Cloud environments are fast-moving and ephemeral, so anything that could assist the investigation needs to be saved explicitly.
- Image cloud virtual machines (VMs) or containers.
  - Imaging involves taking snapshots of virtual machines and their attached volumes.
This evidence enables understanding the attack and speedy remediation.
“In one investigation, the organization successfully mitigated an attack, only to be compromised again a short time later. Our investigators discovered that threat actors had automated exploitation of a vulnerability within a service used within the organization’s cloud-based products. By combining this with using anti-forensic techniques to hide activity, the threat actor was able to regain access to the organization and its clients even after internal teams appeared to have successfully removed them.”
– 2025 Unit 42 Global Incident Response Report, page 12
Step 3: Identity and Role Forensics
The majority of cloud breaches begin with compromised and overpermissioned identities. Bad actors gaining access to one admin-level account could wipe out business data or infrastructure. They could even provide themselves more SSH certificates or keys to enable attack persistence.
Attackers often use legitimate credentials. Behavioral baselining and anomaly detection via user and entity behavior analytics (UEBA) or Cortex XSIAM® is key.
During this step, the Unit 42 team will investigate:
- IAM configurations
- Assume-role patterns
- Federated login logs
- Privilege escalation attempts
One red flag investigators search for is excessive or unexpected identity hopping. Tracing how permissions are passed between identities, services or accounts is challenging but important.
Step 4: Uncovering Lateral Movement and Persistence
Depending on the architecture, cloud environments are often interconnected through the same set of credentials. Once inside, attackers' cloud-native lateral movement might involve moving across regions, services or identities. Resource sprawl, third-party integrations and other factors can make this movement difficult to detect.
Living-off-the-land (LotL) and modify-the-land (MtL) techniques also help them evade detection, because they abuse existing resources rather than import new, malicious ones (like malware).
To detect these attacks, teams must detect anomalies, not just signatures. That requires establishing a baseline of behavior. Once a baseline is established, you can flag unusual API calls, new role assumptions or atypical access patterns that go beyond failed logins.
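The assume-role tracing described under Step 3 and the baseline-driven anomaly flagging described here can be combined into one small replay over audit events. The following is an added example, not Unit 42 tooling: the event records are constructed and only loosely modeled on AWS CloudTrail AssumeRole records (the field names `callerArn` and `roleArn` are assumptions, not the real schema), and the baseline of known caller-to-role edges is assumed to have been learned from a quiet period.

```python
# Constructed sample audit events, loosely modeled on CloudTrail AssumeRole
# records. Field names are assumptions, not the real CloudTrail schema.
EVENTS = [
    {"time": "2025-03-01T09:00:00Z", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "callerArn": "arn:aws:iam::111122223333:user/ci-deploy",
     "roleArn": "arn:aws:iam::111122223333:role/deploy-role"},
    {"time": "2025-03-01T09:00:05Z", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "callerArn": "arn:aws:sts::111122223333:assumed-role/deploy-role/ci",
     "roleArn": "arn:aws:iam::111122223333:role/read-logs"},
    {"time": "2025-03-01T22:14:00Z", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "callerArn": "arn:aws:iam::111122223333:user/alice",
     "roleArn": "arn:aws:iam::111122223333:role/deploy-role"},
    {"time": "2025-03-01T22:14:30Z", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "callerArn": "arn:aws:sts::111122223333:assumed-role/deploy-role/x",
     "roleArn": "arn:aws:iam::111122223333:role/prod-admin"},
    {"time": "2025-03-01T22:15:00Z", "eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "callerArn": "arn:aws:sts::111122223333:assumed-role/prod-admin/x",
     "roleArn": "arn:aws:iam::111122223333:role/cross-account-audit"},
]

# Baseline of (caller principal -> role) edges observed during a quiet period (assumed).
BASELINE = {("user/ci-deploy", "role/deploy-role"), ("role/deploy-role", "role/read-logs")}

def principal(arn):
    """Reduce an ARN to 'user/<name>' or 'role/<name>'; session names are dropped."""
    tail = arn.split(":", 5)[-1]
    if tail.startswith("assumed-role/"):
        return "role/" + tail.split("/")[1]
    return tail

def build_chains(events):
    """Replay AssumeRole events in time order; each hop extends the chain of its caller."""
    chain_for, chains = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["eventName"] != "AssumeRole":
            continue
        src, dst = principal(ev["callerArn"]), principal(ev["roleArn"])
        chain = chain_for.get(src, [src]) + [dst]  # an unknown caller starts a new chain
        chain_for[dst] = chain                      # the latest assumption of dst wins
        chains.append((ev["time"], ev["sourceIPAddress"], chain))
    return chains

def flag_anomalies(chains, baseline=BASELINE, max_hops=2):
    """Flag role assumptions absent from the baseline and chains deeper than max_hops."""
    findings = []
    for time, ip, chain in chains:
        if (chain[-2], chain[-1]) not in baseline:
            findings.append((time, ip, "new role assumption", " -> ".join(chain)))
        if len(chain) - 1 > max_hops:
            findings.append((time, ip, "identity hopping", " -> ".join(chain)))
    return findings
```

Run against the constructed events, the two daytime CI assumptions match the baseline and are silent, while the evening activity produces three "new role assumption" findings and one "identity hopping" finding for the three-hop chain from user/alice to role/cross-account-audit.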
Step 5: Containment, Eradication and Recovery
This step of a cloud incident investigation can be broken down into three parts:
Containment of Compromised Assets
Containment needs to be fast and surgical to avoid alerting the attacker or impacting production/operations. Investigators will revoke credentials, restrict IAM permissions and quarantine virtual machines, preferably all at once.
Eradication of Attacker Persistence
All possible sources of attacker persistence identified above need to be blocked. Eradication includes identifying persistence mechanisms, validating configuration changes and revoking tokens or rotating credentials.
Recovery of Business Operations
Recovery involves validating the integrity of cloud services, along with patching and monitoring exploited attack vectors.
For faster incident containment and recovery, Unit 42 has several recommendations:
- Enable and centralize logs.
- Define various cloud IR playbooks.
- Prepare cloud sandboxes for forensics.
Learn from Past Experiences to Secure Future Environments
Ensure the tools to gather images and logs are set up along with your cloud environment, so you always have the evidence needed to investigate the cause of a breach. Understand the roles and identities involved, look for signs of attacker persistence and then contain and eradicate the intrusion. Once the attack is stopped, your security experts should analyze the data to identify the attack vector and close it.
Institutionalize lessons learned from previous incidents. As cloud adoption increases so will cloud-native attacks. Unit 42 can help you take a proactive stance against cloud attacks. Our approach identifies root causes and uses lessons learned, so clients increase their resiliency.
- Gain visibility: Get a complete picture of where your organization stands with our Unit 42 Cloud Security Assessment, which includes an analysis of cloud threat trends and adversaries related to your business and technology.
- Adopt zero trust: Taking incremental steps toward zero trust is pivotal to shrinking your cloud’s attack surface. Our Unit 42 Zero Trust Advisory helps you see where you stand today and helps you adopt a modern cybersecurity approach that eliminates implicit trust.
- Get elite backup: With a Unit 42 Retainer, our experts become an extension of your team. We’ll be on speed dial in case of an incident, and we’ll help you achieve a proactive stance against tomorrow’s threats.
Ready to fortify your cloud defenses? Read the 2025 Global Incident Response Report for key insights from 500+ Unit 42 IR cases last year to help you better navigate the changing threat landscape.
Key Takeaways:
- Cloud incidents are increasing and require a shift in investigation mindset: Cloud and SaaS environments are increasingly targeted in incident investigations (29% in 2024), necessitating a focus on identities, misconfigurations and service interactions rather than traditional endpoints and network activity.
- Proactive logging and evidence collection are crucial: To effectively respond to cloud incidents, organizations must enable and centralize logs, retain data for a minimum of 90 days, and collect volatile artifacts and virtual machine images promptly. Log gaps due to misconfigurations or retention issues can significantly hinder investigations.
- Identity and lateral movement are key areas of focus for attackers: The majority of cloud breaches begin with compromised identities. Attackers often use legitimate credentials and employ "living-off-the-land" and "modify-the-land" techniques to move laterally and maintain persistence. Detecting these attacks requires behavioral baselining and anomaly detection.